Double-Free Vulnerability in Das U-Boot Triggered by Crafted ext4 Filesystem
CVE-2019-13105

7.8 HIGH

Key Information:

Vendor: Denx
CVE Published: 6 August 2019

What is CVE-2019-13105?

Das U-Boot versions 2019.07-rc1 through 2019.07-rc4 are susceptible to a double-free vulnerability that occurs when the system attempts to list files from a specially crafted ext4 filesystem. This flaw can lead to memory corruption, potentially resulting in unexpected behavior or crashes. Mitigation involves ensuring software is updated to versions that address this vulnerability and implementing strict validation measures for filesystem operations.

CVSS V3.1

Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
